Between January and February, Symantec observed a ‘multi-staged, targeted attack campaign’ against energy companies around the world, with the focus on countries in the Middle East.
According to a blog post by Symantec’s Christian Tripputi, the attack starts with spam emails sent from the moneytrans[.]eu domain, which acts as an open-relay Simple Mail Transfer Protocol (SMTP) server. The emails carry a malicious Excel attachment containing an exploit for the Microsoft Windows Common Controls ActiveX Control Remote Code Execution Vulnerability (CVE-2012-0158). If the user opens the attachment, the exploit code executes and leaves Trojan.Laziok on the computer.
To hide itself, the Trojan creates folders in the %SystemDrive%\Documents and Settings\All Users\Application Data\System\Oracle directory and renames itself to well-known file names such as:
%SystemDrive%\Documents and Settings\All Users\Application Data\System\Oracle\azioklmpx\search.exe
%SystemDrive%\Documents and Settings\All Users\Application Data\System\Oracle\azioklmpx\ati.exe
%SystemDrive%\Documents and Settings\All Users\Application Data\System\Oracle\azioklmpx\lsass.exe
%SystemDrive%\Documents and Settings\All Users\Application Data\System\Oracle\azioklmpx\smss.exe
%SystemDrive%\Documents and Settings\All Users\Application Data\System\Oracle\azioklmpx\admin.exe
%SystemDrive%\Documents and Settings\All Users\Application Data\System\Oracle\azioklmpx\key.exe
%SystemDrive%\Documents and Settings\All Users\Application Data\System\Oracle\azioklmpx\taskmgr.exe
%SystemDrive%\Documents and Settings\All Users\Application Data\System\Oracle\azioklmpx\chrome.exe
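The masquerading technique above (a dropper borrowing the names of legitimate Windows binaries inside an unusual data directory) is easy to hunt for once you know it. The following is an added example, not code from Symantec's report: it takes executable paths (from a process listing or file inventory) and flags any that sit under the drop directory named above, or that carry a well-known system binary name but live outside its expected folder. The expected-location table and the sample paths are constructed for the example.

```python
import re
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple

# Assumed legitimate locations for the well-known names Trojan.Laziok borrows.
# Names with no fixed location (search.exe, ati.exe, admin.exe, key.exe) are judged
# by directory only.
EXPECTED_DIRS = {
    "lsass.exe":   [r"\windows\system32"],
    "smss.exe":    [r"\windows\system32"],
    "taskmgr.exe": [r"\windows\system32"],
    "chrome.exe":  [r"\program files\google\chrome\application",
                    r"\program files (x86)\google\chrome\application"],
}

# Drop directory taken from the paths listed in the report.
LAZIOK_DIR = r"\documents and settings\all users\application data\system\oracle"


def classify(path: str) -> Optional[str]:
    """Return a finding label for one executable path, or None if it looks normal."""
    p = PureWindowsPath(path)
    name = p.name.lower()
    parent = str(p.parent).lower()
    # Drop the drive letter or %SystemDrive% prefix so only the directory is compared.
    parent = re.sub(r"^(%systemdrive%|[a-z]:)", "", parent)
    if parent.startswith(LAZIOK_DIR):
        return "laziok-drop-dir"
    if name in EXPECTED_DIRS and not any(parent.startswith(d) for d in EXPECTED_DIRS[name]):
        return "masquerade:" + name
    return None


def scan(paths: List[str]) -> List[Tuple[str, str]]:
    """Return (path, finding) pairs for every path that classify() flags."""
    return [(p, f) for p in paths if (f := classify(p))]


# Constructed sample listing: two benign entries, one Laziok path, one masquerade.
SAMPLE = [
    r"C:\Windows\System32\lsass.exe",
    r"C:\Program Files\Google\Chrome\Application\chrome.exe",
    r"%SystemDrive%\Documents and Settings\All Users\Application Data\System\Oracle\azioklmpx\smss.exe",
    r"C:\Users\Public\taskmgr.exe",
]

if __name__ == "__main__":
    for path, finding in scan(SAMPLE):
        print(f"{finding:24} {path}")
```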
Trojan.Laziok then begins its reconnaissance, collecting system configuration data such as the computer name, installed software, GPU details, CPU details, antivirus software, RAM size and hard disk size.
Once they receive the system configuration data, the attackers infect the computers with additional malware, distributing customized copies of Trojan.Zbot and Backdoor.Cyberat tailored to the compromised computer’s profile.
Symantec and Norton products have protections against this campaign.
Malware infections through spam campaigns can be avoided by following a few practices: do not click on links in unsolicited, unexpected, or suspicious emails; do not open attachments in such emails; use comprehensive security software, such as Symantec Endpoint Protection or Norton Security, to protect yourself from attacks of this kind; take a layered approach to security for better protection; keep your security software up to date; and apply patches for installed software on a timely basis.